Abstract: Disclosed herein are systems and method for isolating private information in streamed data. In an exemplary aspect, a method may comprise receiving a stream of data, for storage in a first storage device, and an indication of how the stream will be utilized by an end user. The method may comprise comparing the indication against a plurality of rules, wherein each rule indicates a type of private information that should be isolated from a given input stream based on a respective indication of usage for the given input stream. The method may comprise identifying and extracting a first type of private information that should be isolated from the stream, modifying the stream by removing the first type of private information from the stream, storing the modified stream in the first storage device, and storing the extracted first type of private information in a different location from the modified stream.

Abstract: Computer system for performing biometric matching in a way that balances accuracy level required in the biometric matching against computing resources (for example, processor cycles) that will be needed to match authentication requesters with profiles of authorized users. In some embodiments, this is achieved by controlling the number of clusters and/or the number of clusters to be searched pursuant to an authentication request.

Abstract: Disclosed herein are systems and methods for storing patient medical information on a local processing device, anonymizing a portion of that medical information and storing it on a second processing device, exposing that anonymized medical information to a third processing device coupled to the second processing device through a network, and restricting users of the third processing device to only accessing HIPAA compliant medical information. Alarms are included for indicating the improper transfer of HIPAA data.

Abstract: Disclosed are embodiments directed to security methods applied to connections between components in a distributed (networked) system including medical and non-medical devices, providing secure authentication, authorization, patient and device data transfer, and patient data association and privacy for components of the system.

Abstract: Techniques for associating manufacturer usage description (MUD) security profiles for Internet-of-Things (IoT) device(s) with secure access service edge (SASE) solutions, providing for automated and scalable integration of IoT devices with SASE frameworks. A MUD controller may utilize a MUD uniform resource identifier (URI) emitted by an IoT device to fetch an associated MUD file from a MUD file server associated with a manufacturer of the IoT device. The MUD controller may determine that a security recommendation included in the MUD file is to be implemented by a cloud-based security service provided by the SASE service and cause the IoT device to establish a connection with a secure internet gateway associated with the cloud-based security service. Additionally, or alternatively, the MUD file may include SASE extensions indicating manufacturer recommended cloud-based security services. Further, cloud-based security services may be implemented if local services are unavailable.

Abstract: A machine has a network interface circuit to provide connectivity to networked machines. A processor is connected to the network interface circuit. A memory is connected to the processor and the network interface circuit. The memory stores instructions executed by the processor to record the purchase of a digital asset by a user at a client machine from a data source machine in network communication with the client machine. The location of the digital asset on one or more machines of the networked machines is archived. The location is separate from the data source machine. The digital asset is associated with a data access policy. A request for the digital asset is received. The data access policy is enforced through programmatic control utilized by one or more of the networked machines to form a consent state. Distribution of the digital asset to a networked machine is authorized in response to the consent state.

Abstract: A global partitioning-based method for anonymizing a dataset of biometric data may include an anonymization computer program: (1) receiving a value k representing a number of records to hide a biometric datum among, a value t that represents a t-closeness parameter for a t-close distribution, a weight parameter, and a first number of features to retain for determining an attribute of interest; (2) receiving the attribute of interest; (3) calculating a distribution of the attribute of interest in a biometric dataset; (4) splitting the biometric dataset into a plurality of k-sized clusters that satisfy the t-close distribution; (5) anonymizing each biometric datum in the plurality of k-sized clusters using a weighted average of landmarks for the biometric datums in k-sized clusters using the weight parameter; (6) adding each anonymized biometric datum into an anonymized biometric dataset; and (7) persisting the anonymized biometric dataset.

Abstract: A system receives a request associated with a first account to delegate, to a second account, authority to send documents on behalf of the first account. The request identifies requirements that must be satisfied before the second account can send documents on behalf of the first account. Responsive to receiving a request to send a first document to a first entity from the second account and on behalf of the second account, the system sends the first document to the first entity. Responsive to receiving a request to send a second document to a second entity from the second account and on behalf of the first account, the system determines whether the request to send the second document satisfies the requirements. Responsive to the request satisfying the requirements, the system sends the second document to the second entity on behalf of the first account.

Abstract: Disclosed are some implementations of systems, apparatus, methods and computer program products for providing contextually relevant recommendations based on a context of the user. The context of the user may be determined according to a set of privacy settings of the user, where the set of privacy settings indicates contextual features for which values are permitted to be accessed by a recommendation system. The contextual features may include user-related features and/or tenant features pertaining to a tenant of a multi-tenant database.

Abstract: The system comprises of a meeting organizer, host data processing system, at least one participant and participant data processing system and a server. The host data processing system is configured to create the meeting, list of participants, generate key for the participants and then communicate the key to the participants. The participant data processing system is configured to receive the credentials, communicate credential and key to the server and communicate the location information of the participant data processing system to the server. The server is configured to authenticate the participant, verify the identity of the participant, and determine whether the participant data processing system is located in a secured or unsecured location.

Abstract: The present disclosure relates to software tampering resistance. In one aspect, a method for generating protected code is provided, comprising identifying a primary function in code to be obscured, the primary function being a function used to verify the integrity of the code run-time. The method then comprises generating a finite state machine from the primary function, wherein a state of the finite state machine at a given instance defines an element of the primary function to be executed. The method then comprises distributing the finite state machine throughout the code to obscure one or more areas of the code.

Abstract: A computer-implement method comprises: selecting a trusted computing node via smart contract on a blockchain; completing remote attestation of the selected trusted computing node; writing secret information to an enclave of the selected node; causing a thin device to establish a private connection with the selected node without revealing the secret information; and causing the selected node to act as a proxy on the blockchain for the device. Another method comprises: receiving a signed device access request from a device owner; validating, by the verification node, the received request; executing, by a verification node, a smart contract on a blockchain based on the received request; and producing, based on the executed smart contract, an output command to access the device for the device to validate, decrypt and execute.

Abstract: A system and method for pairing two devices for secure communications. A user selects a first device to pair with a second device. The first and second devices have the ability to securely communicate with each other through the use of encrypted communications. An encryption key is written to the first device and then burned into the encryption module on the first device. A corresponding decryption key is written to the second device and then is burned into the decryption module of the second device.

Abstract: Examples disclosed herein relate to a method for defining an ingress access policy at an ingress network device based on instructions from an egress network device. The egress network device receives data packets directed to a first entity from a second entity connected to an ingress network device. Each data packet transmitted includes a source role tag corresponding to the second entity. At the egress network device, the data packets may be dropped based on the enforcement of an egress access policy. When the number of data packets that are being dropped increases beyond a pre-defined threshold, the egress network device transmits a command to the ingress network device instructing the ingress network device to create a restriction on the transmission of subsequent data packets. The command is transmitted in a Border Gateway Protocol (BGP) Flow Specification (FlowSpec) route.

Abstract: A system, a method, and a computer program are provided for securely isolating access by one or more users in a group of network users to an enterprise network implementing Multi-Protocol Label Switching (MPLS). The security system includes an MPLS Layer-3 VPN (L3VPN) instance created for a group of users to be isolated, and a remote and mobile enterprise access (RMEA) gateway with secure socket layer virtual private network (SSL-VPN) and two-factor user authentication capabilities. A de-militarized zone (DMZ) is positioned in the network to security scan data traffic between the L3VPN and RMEA gateway. The security protocol involves two-factor user authentication and establishing, on top of the L3VPN instance, an SSL-VPN session between the user and the RMEA gateway, which provides the authorized user access to the network. Additionally, data traffic to/from the user is routed through the RMEA and the DMZ.

Abstract: This document describes techniques for expanding user groups while preserving user privacy and data security. In one aspect, a method includes receiving, by a content platform and from a client device of a user, a request for a digital component that also includes a user identifier. A determination is made that the user identifier is included in a user list that includes multiple user identifiers respectively corresponding to multiple users in a user action group. In response to determining that the unique identifier is included in the user list, a digital component of the entity for which the user list is generated is selected and provided to the client device of the user for display to the user of the client device.

Abstract: A modification to an applied ruleset intended for consumption by intrusion detection systems (IDSs) is detected. A service event that is configured to push the applied ruleset to a set of test network sensors associated with the IDSs is triggered. A service subscribed to the service event updates the set of test network sensors with the applied ruleset and designates a configuration version to the applied ruleset. A notification is received from the set of test network sensors that the applied ruleset has been tested and is ready for deployment to other network sensors and a request is received to deploy the applied ruleset to a set of network sensors. A determination is made whether the request includes the configuration version designated to the applied ruleset by the service. If the request includes the configuration version designated to the applied ruleset, the request to deploy the applied ruleset to the set of network sensors is authorized.

Abstract: A pattern detector circuit is provided in a security chip, wherein the pattern detector circuit monitors accesses of a plurality of configuration registers, each of the plurality of configuration registers having a corresponding address. In response to receiving from a host a predefined sequence of accesses of the plurality of configuration registers for one or more operations to the plurality of configuration registers, a processor in the pattern detector circuit determines a value indicative of a current version of a netlist for the security chip. The determined value is made available to be obtained by a read operation by the host at a specific configuration register address.

Abstract: Automatic preparation of data related to session initiation protocol (SIP) based traffic flows in a lawful interception (LI) scenario is disclosed. The dataset that is obtained may, e.g., be used for machine learning-based (ML) and artificial intelligence (AI) tools that can identify lawfully intercepted SIP-based traffic cases. Such preparation of data reduces the 5 risk of misunderstandings between a communications service provider (CSP) and a law enforcement agency (LEA), which reduces the time dedicated by both parties in understanding the correctness of LI data provided by the CSP to the LEA.

Abstract: Disclosed examples include accessing a search term from a client device; accessing a first identifier, the first identifier corresponding to a first database proprietor, the first identifier to access first user information corresponding to a user of the client device; accessing a second identifier, the second identifier corresponding to a second database proprietor, the second identifier to access second user information corresponding to the user of the client device; providing the search term, the first identifier, and the second identifier in a message; and transmitting the message to a server.